Cloudflare’s new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Centre (APNIC).
The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy.
“We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque,” wrote APNIC’s chief scientist Geoff Huston in a blog post.
“We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself.”
Also read: Failing to secure DNS is ‘savage ignorance’
Huston, an Internet Hall of Fame inductee, has a long-standing interest in DNS, and is a strong supporter of a proposal that promises to improve DNS resilience against DDoS (distributed denial of service) attacks. He’s previously said that failing to secure DNS is savage ignorance.
The Cloudflare-APNIC experiment uses two IPv4 address ranges, 184.108.40.206/24 and 220.127.116.11/24, which have been reserved for research use. Cloudflare’s new DNS uses two addresses within those ranges, 18.104.22.168 and 22.214.171.124.
These address ranges were originally configured as “dark traffic addresses”, and some years ago APNIC partnered with Google to analyse the unsolicited traffic directed at them. There was a lot of it.
“Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise,” Huston told ZDNet on Wednesday.
By putting Cloudflare’s DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic — or at least “a certain factored amount” of it — for research purposes.
Huston emphasised that APNIC intends to protect users’ privacy. “DNS is remarkably informative about what users do, if you inspect it closely, and none of us are interested in doing that,” he said.
Indeed, Cloudflare’s aim is to create, as the company’s chief executive officer Matthew Prince put it, “the internet’s fastest, privacy-first consumer DNS service”.
While 126.96.36.199 is meant to have been used only for research, the Cloudflare-APNIC experiment has revealed that many operational systems have been using it in a variety of dirty hacks that breach internet routing standards.
Twitter cybersecurity celebrity @SwiftOnSecurity has been retweeting some of the more egregious allegations, such as 188.8.131.52 being used by Fortinet VPN as the virtual endpoint; 184.108.40.206 being used as the default logout for Nomadix controllers, which are primarily used in hospitality industry environments; AT&T Gigapower using 220.127.116.11 on an internal interface on at least one model of router-gateway, the Pace 5268AC, which effectively blocks this address; and even Vodafone Germany using it as an image caching server on their mobile network.
Huston is familiar with usages like this, and has also seen Wi-Fi hotspots using 18.104.22.168 as their router address. He’s not impressed.
“Some folk, without any material to justify it, started configuring 22.214.171.124. Now, I can start using your IP address, I suppose, but we’re both going to have a problem,” Huston told ZDNet, laughing.
“You should never have done it in the first place. You’re squatting on somebody else’s address. That’s a bad thing,” he said.
“In this case, I’m not sure that it really impacts upon the folk who are advertising the address, and to some extent because I am looking at the junk traffic that hits that address, it all adds to the interesting junk. But you shouldn’t be doing it.”
While Huston has yet to analyse any of the junk traffic in this new experiment, he said that it can still be measured in multiple gigabits per second.
“There’s a lot of rubbish out there,” he said.
Cloudflare’s new Domain Name System promises to both speed up your internet access and protect your privacy.
APNIC and CloudFlare announced the free 126.96.36.199 DNS resolver service, which is intended as a drop-in replacement to protect your privacy from providers.
Cloudflare’s encryption secret? Gelatinous floating blobs.
Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that’s open by default.
The service is being sunsetted in favor of FireBase Dynamic Links for developers, while regular users are advised to use competing services.